Tailoring Computer Security for Industrial Controls

Electricity, power, water, communications, waste treatment—we call the facilities that supply these services our “critical” infrastructures because they truly are critical to the health, safety and quality of everyday life. And because they are so critical, the computer systems used to control these infrastructure operations need to be rigorously protected against security breaches.

The National Institute of Standards and Technology (NIST) is soliciting public comments on a proposed expansion to its Special Publication 800-53 that provides specific requirements and guidance for protecting industrial control systems managed by federal agencies or their contractors. Produced through a partnership of NIST information technology and manufacturing engineering experts, the proposed expanded text is included in two appendices that describe how to tailor a computer security plan to an industrial control environment.

For example, certain requirements for general information security like screen locks that require the user to reenter a password after specific periods of inactivity, are impractical in some industrial control settings. Instead, compensating controls such as rigorous physical security controls, may need to be implemented to protect the system from unauthorized access at the console. Requirements for remote access monitoring or cryptography, as well as for testing of updates or patches also may need to be handled differently for industrial control systems than for general information systems.

“We produced these security strategies for federal agency use,” said NIST project leader Stuart Katzke, “however we hope that the private-sector industrial control community will consider adopting them as well.”

Under the Federal Information Security Management Act of 2002, NIST is tasked with producing computer security standards and guidelines to help federal agencies effectively protect and manage their information technology systems.